When configuring Microsoft Outlook (not Outlook Express) to access an LDAP directory, there is an option to 'Enable Browsing (requires server support)'. If this option is chosen and the directory server supports it, then you should be able to open the LDAP address book and page up and down through the results. I have been unable to get this working properly with 389 DS.
When I try to browse from Outlook against the 389 DS directory, I am able to see the first page of results perfectly. However, if I move to the next page, only the first object returned will have any attributes included, and all of the rest of the objects in the page will have no attributes. I have a test perl script that duplicates this functionality as well.
I can get this to work properly with an older version of Netscape Directory Server, and I can get it working with OpenDS. Since 389 DS advertises support for the controls that are required for this to work, just like the other two servers, then I would expect it to work there also.
Has anyone out there gotten this to work with 389 DS? If so, can you share if there was anything special that you needed to do to get this to work? I'm trying to determine if this is a bug in the server, or if I'm just missing something in the configuration.
You Run Your Business. We'll Run Your Email.
This message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information of USA.NET, Inc. Any unauthorized review, use, copying, disclosure, or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply email and delete all copies of the original message.
How to modify the attribute nsslapd-encryptionalgorithm in Centos?
Stop Master servers and set nsslapd-encryptionalgorithm. The allowed value is AES or 3DES.
--- Em ter, 4/6/13, Rich Megginson <rmeggins(a)redhat.com> escreveu:
De: Rich Megginson <rmeggins(a)redhat.com>
Assunto: Re: [389-users] changelog
Para: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Data: Terça-feira, 4 de Junho de 2013, 16:34
On 06/04/2013 01:26 PM, Denise Cosso
CentOS release 6.3 (Final)
As far as replication goes - you will need to use a security layer
(SSL, TLS, or GSSAPI) to protect the clear text password on the wire
As far as encrypting it in the changelog - not sure
--- Em ter, 4/6/13, Rich Megginson <rmeggins(a)redhat.com>
De: Rich Megginson <rmeggins(a)redhat.com>
Assunto: Re: [389-users] changelog
Para: "General discussion list for the 389 Directory
Cc: "Denise Cosso" <guanaes51(a)yahoo.com.br>
Data: Terça-feira, 4 de Junho de 2013, 16:11
06/04/2013 12:39 PM, Denise Cosso wrote:
Description of problem:
When a userPassword is changed in a server with changelog, the hashed password
is logged and also a cleartext pseudo-attribute version. It looks like this:
This unhashed version is used in winsync where the cleartext version of the
password must be written to the AD.
Now if the DS is involved in replication with another DS, the change will be
replayed exactly as it is logged to the other DS replicas, including the
cleartext pseudo-attribute password.
What platform? What version of 389-ds-base are you
389 users mailing list
I got 389 running on a remote linux box,and I would like to get use of
the Console without the need of exporting the X-Windows whenever I want
to make a change as I also would prefer not to keep tweaking the
configuration files all the time.
is there anyway of doing this through any remote client?
Any advise on this matter?
Thanks very much
We need to implement password expiration because of some policy. The
problem is users are not able to bind to ldap anymore, after I switch on
password expiration for our ou=People subtree . The ldap command line
tools and 389-console both just hang forever when trying to connect.
This happens even when the user changes the password right before
switching on the password expiration so the password cannot be expired
yet. When I use the wrong password, then I get "ldap_bind: Invalid
credentials (49)", but when I use the correct password, then it's just a
hang. If I switch off password expiration then everything returns to
normal again. I've followed the guide at
I've tried both 389ds 126.96.36.199 on CentOS 6 and 389ds 188.8.131.52 on Fedora
20 with the same results.
Is password expiration working in 389ds at all?
Thanks in advance,
Need to configure sasl mecanism so that i can use DIGEST-MD5 mechanism with
my autofs configuration. With PLAIN it is working fine but need to use
DIGEST-MD5. Where i can specify.
[root@ibm001 ~]# cat /etc/autofs_ldap_auth.conf
<?xml version="1.0" ?>
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
Thanks & Regards
Dhiraj S. Deshpande
I'm planing to migrate some of my servers to 1.3 branch and I don't know what packages to use.
I've found packages from mreynolds: http://copr.fedoraproject.org/coprs/mreynolds/389-ds-base/
and dfas: http://copr.fedoraproject.org/coprs/dfas/389-ds-dfas/
first one seems to be a nightly and I would like to mantain an stable install. should I use dfas?
by the way, is the policy-packages situation going to be solved anytime? I found very confusing having to deal with several repos to get a full installation of 389 DS, and I though this spliting thing was temporary just for EL6.
thanks for your time,
We have a master - master replication agreement. When we initialize the replication it works perfectly we can see changes to a test user we have set up go up and down from the two servers. However at some point the replication stops and we cannot get replication to start once again. The only way we can get replication to start once again is to recreate the replication agreement and then it fails again. Can anyone please point us in a direction. I am relatively new to 389 so any help would be greatly appreciated.
Santos U. Ramirez
Linux Systems Administrator
National DCP, LLC
150 Depot Street
Bellingham, Ma. 02019
This email and any attachments are intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, do not copy or forward to any unauthorized persons, permanently delete the original and notify the sender by replying to this email.
Using two fully updated FreeIPA F20 masters with freeipa-
server-3.3.5-1.fc20.x86_64 and 389-ds-base-184.108.40.206-1.fc20.x86_64, I've
noticed that I'm getting a lot of the following errors in the 389 DS error
log, especially at server startup.
"No original_tombstone for changenumber=511851,cn=changelog!!"
Most often, the same changenumber repeats over and over, but there are some
other changenumbers listed as well. The changenumbers are different on each
My concern is I'm preparing my thought process about the upcoming upgrade from
F20 to F21 and it looks like I may need to create a new FreeIPA master and
"migrate" the Dogtag stuff, etc. rather than a simple "yum upgrade" on each
What is the proper way to correct for these apparent errors and get these
masters working with each other in a clean manner?
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
The documentation for register-ds-admin.pl says the following:
"The register-ds-admin.pl script does not support external LDAP URLs, so
the Directory Server instance must be registered against a local Admin
Would there be any issues in creating the ldap entries that this script
creates in a remote configuration directory instead of a local one?
[image: fist]Alan Willis
Systems Administrator | Riot Games
Email: alwillis at riotgames.com
For, to speak out once for all, man only plays when in the full meaning of
the word he is a man, and *he is only completely a man when he plays*. -
J.C. Friedrich von Schiller - Letters upon the Æsthetic Education of Man